Home » Avoiding Mistakes

Avoiding Mistakes

April 1, 2008

There are numerous mistakes that enterprises and their chief security officers make when planning to protect valuable corporate data.

It’s natural. Mistakes are made in security everyday, causing companies scrambling to recover from breaches that have compromised some of, if not all, important corporate data. It’s also apparent that most breaches occur from mistakes that could be avoided.

The five following mistakes are the most common.

MISTAKE NUMBER 1: NOT KNOWING WHERE YOUR SENSITIVE DATA RESIDES

A lot of enterprises and their chief security officers are unaware of where their sensitive data resides. This is a large problem because it forces a reactive approach to securing their data. Even worse, they struggle with the question of what data was compromised. Many regulations, including the Payment Card Industry standard, “scope the environment” for sensitive data as the first step in determining the complexity to secure or become compliant. Once process mapping has occurred, companies can apply appropriate security to the “segmented environment” and manage the associated risk. Gramm-Leech-Bliley (GLBA) requires all financial organizations, including credit unions, to perform a risk assessment. Part of any risk assessment is to perform a mapping to high value business process; map the data associated and correlate it to the underlying infrastructure, thus producing a true identification of risk.

As with all regulations and security frameworks, the ability to respond to a breach is critical. Performing a risk assessment or process mapping makes it much easier to respond.

MISTAKE NUMBER 2: NOT CLASSIFYING DATA

What type of data do you store, process or transmit that should be protected? Most enterprises do not classify their data, hence they protect critical data the same as non-sensitive data.

One area that the federal government has excelled in for many of years over the private sector (commercial) is classification of data. The federal government has invested significant funds to protect classified data. An integral part of classification of data is compartmentalizing. Simply put, it is splitting up or segmenting data based on type. Understand what data you store, process or transmit (Mistake number 1), then you can group systems and business processes that only use those data elements. In some instances, you may have several data elements that are used. When this occurs, the ability to cross matrix data security requirements (maybe regulatory also) becomes essential.

MISTAKE NUMBER 3: NOT SECURING DATA THROUGHOUT ITS FULL LIFE SPAN

A common misconception among enterprises and their security operations is that once the data leaves their “control” they no longer have an obligation to protect it.

A very easy way to define ownership of data is if the data originates with you, you own it, PERIOD! This author’s long time mentor and now CISO of Diebold, Scott Angelo, would also say “cradle to grave,” you must protect the information until it is properly destroyed or rendered unusable. A good example is a commerce site. Developed by a third party Web company, hosted by a hosting provider and managed by a managed service company, in this relationship all parties share in the responsibility of securing the data.

MISTAKE NUMBER 4: COMPLIANCE-BASED SECURITY

Some companies are still waiting for regulatory compliance to drive their security organization and, consequently, their budgets. It is this author’s belief the audits audit and security secures.

This means that using regulatory compliance as a primary driver and framework for securing the enterprise will never properly secure the data. The biggest problem with security today is obtaining budget. This can easily be solved by presenting the risk to top management and allowing him or her to accept the risk or mitigate (obtaining budget) the risk. Either way you do not own the risk anymore. However, to understand the risks, you must perform frequent assessments and consistently report changes in the overall risk posture.

MISTAKE NUMBER 5: HAVING COMPANIES WITHOUT EXPERTISE HANDLING SECURITY

Well this seems like a no brainer, but there are some companies that rely on their security from their service providers. While this has its economical advantages, it will not make the enterprise secure. Having a security firm that specializes in information protection, specifically, the data you are trying to protect, will greatly increase your return on investment.

I want to hear from you. Tell me how we can improve.

BNP Media Owner & Co-CEO, Tagg Henderson

Ken Stasiak is co-founder and CEO of SecureState LLC, an information security assessment and protection firm, Cleveland, Ohio.

You must login or register in order to post a comment.

Risk impacts every organization, and critical events and can cripple your operations if they’re not properly managed. For organizations focused on risk resiliency, the command center is quickly becoming the operational hub of risk management within an organization: the nerve center for risk.

At the center of an organization's security operation stands its nucleus, one of the most important pieces for overall functionality: the global security operations center (GSOC). But that can look different based on goals, budget and overall vision. However, one commonality remains: the GSOC is where a variety of systems and solutions come together to provide a singular operational picture, mitigate threats and promote enhanced communication during an incident.

Security Magazine

2020 April

This month in Security magazine: meet the global security team at Boston Scientific - five female professionals with diverse background and skills who are creating a best-in-class enterprise security team while ensuring the safety and security of employees, customers and patients. Also this month, we highlight Kristin Lenardson and her successful career in protective services. Security experts discuss whistleblowing, the CCPA and more.

View More Create Account